
JWT Decoder

Paste a JSON Web Token to decode its header and payload, inspect the claims, and check expiry. Everything is decoded locally in your browser.

About this tool

A JSON Web Token (JWT) is a compact, URL-safe token used for authentication and information exchange. It has three parts separated by dots: a header (the algorithm and type), a payload (the claims — who the token is for and what it grants), and a signature. This decoder splits the token and Base64URL-decodes the header and payload so you can read what's inside.

Decode only — not verified

This tool decodes a JWT so you can read it; it does not verify the signature. A decoded payload is not proof the token is authentic. Anyone can read a JWT's contents — never put secrets in a payload, and always verify the signature server-side before trusting a token.

Reading the claims

Common payload claims include sub (the subject/user), iss (issuer), aud (audience), iat (issued-at), nbf (not-before) and exp (expiry). This decoder converts the timestamp claims into human-readable dates and shows whether the token has expired.

Privacy

The token is decoded entirely in your browser. It is never transmitted, so you can safely inspect tokens from your own apps and APIs.

Frequently asked questions

A JSON Web Token is a compact token with three Base64URL parts — header, payload and signature — used mainly for authentication. The payload carries claims about the user and their permissions.

No. It only decodes the header and payload so you can read them. Verifying authenticity requires the signing secret or public key and must be done server-side. A decoded token is not proof it is valid.

Decoding happens entirely in your browser and the token is never sent anywhere. Still, treat real tokens as sensitive — a valid token can grant access until it expires, so avoid sharing it.

Check the exp claim, a Unix timestamp for when the token stops being valid. This decoder converts exp, iat and nbf into readable dates and flags whether the token is currently expired.
